fix(KFLUXBUGS-1581): force releaseNotes.type when cves defined #619
base: development
@@ -4,7 +4,7 @@ kind: Task | |||||||
metadata: | ||||||||
name: create-advisory | ||||||||
labels: | ||||||||
app.kubernetes.io/version: "4.4.1" | ||||||||
app.kubernetes.io/version: "4.4.2" | ||||||||
annotations: | ||||||||
tekton.dev/pipelines.minVersion: "0.12.1" | ||||||||
tekton.dev/tags: release | ||||||||
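Review bot: the bump of `app.kubernetes.io/version` from "4.4.1" to "4.4.2" is a patch increment, but the rest of this PR changes what the task accepts: it now fails on an RHSA with no fixed CVEs and rewrites a caller-supplied type to RHSA when CVEs are present. A change in accepted input is normally a minor bump (4.5.0) rather than a patch, unless the repository's convention is patch for every task edit; either way the new failure mode deserves a mention in the task's description or changelog so consumers of the task know why a previously passing release can now fail.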
@@ -55,10 +55,10 @@ spec: | |||||||
RESULTS_FILE="$(workspaces.data.path)/$(params.resultsDirPath)/create-advisory-results.json" | ||||||||
|
||||||||
# Obtain application from snapshot | ||||||||
application=$(jq -rc .application "$(workspaces.data.path)/$(params.snapshotPath)") | ||||||||
application=$(jq -r .application "$(workspaces.data.path)/$(params.snapshotPath)") | ||||||||
|
||||||||
# Obtain origin workspace from releasePlanAdmission | ||||||||
origin=$(jq -rc '.spec.origin' "$(workspaces.data.path)/$(params.releasePlanAdmissionPath)") | ||||||||
origin=$(jq -r '.spec.origin' "$(workspaces.data.path)/$(params.releasePlanAdmissionPath)") | ||||||||
Comment: Hmm, this is a string, right? So yeah, I agree. But how did this work before? There must have been redundant
Reply: My understanding is -rc on a string works just fine, but the -c doesn't really do anything
||||||||
|
||||||||
# Extract the advisory key and signing configMap name from the data JSON file | ||||||||
advisoryData=$(jq -c "$(params.jsonKey)" "$(workspaces.data.path)/$(params.dataPath)") | ||||||||
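Review bot: changing `-rc` to `-r` on the `.application` and `.spec.origin` lookups is a no-op for string values (`-c` only changes how objects and arrays are printed), so this is a cosmetic cleanup. What neither form guards against is a missing key: `jq -r .application` on a snapshot without that field prints the literal `null` and the script continues with `application=null`. If the later steps depend on these values, `jq -re` (exit status 1 when the last output is null or false) or an explicit `[[ -n "$application" && "$application" != null ]]` check would turn that into an early, readable failure instead of a confusing one downstream.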
@@ -71,6 +71,20 @@ spec: | |||||||
exit 1 | ||||||||
fi | ||||||||
|
||||||||
# Ensure RHSA is only used if CVEs are provided | ||||||||
NUM_CVES=$(jq '.content.images[]?.cves.fixed // 0 | length' <<< "$advisoryData" \ | ||||||||
| awk '{sum=sum+$0} END{print sum}') | ||||||||
Comment on lines +75 to +76: You can do the sum directly with
Suggested change
But if you prefer awk, that's fine with me.
||||||||
if [[ "$advisoryType" == "RHSA" ]] && [[ "$NUM_CVES" -eq 0 ]] ; then | ||||||||
echo "Provided advisory type is RHSA, but no fixed CVEs were listed" | ||||||||
echo "RHSA should only be used if CVEs are fixed in the advisory. Failing..." | ||||||||
exit 1 | ||||||||
fi | ||||||||
|
||||||||
# Set type to RHSA if there are fixed CVEs | ||||||||
if [[ "$NUM_CVES" -gt 0 ]] ; then | ||||||||
advisoryData=$(jq -c '.type = "RHSA"' <<< "$advisoryData") | ||||||||
fi | ||||||||
|
||||||||
pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid" | ||||||||
|
||||||||
# only 2 gitlab instances are permitted...prod and staging | ||||||||
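Review bot: `awk '{sum=sum+$0} END{print sum}'` prints an empty string, not 0, when jq produces no output at all, and that is exactly what happens when `releaseNotes` has no `content` key (`.content.images[]?` on null yields nothing rather than a 0). `NUM_CVES` then becomes `""`, and the two checks only behave because bash's `[[ "" -eq 0 ]]` evaluates an empty string as 0; `[[ "" -gt 0 ]]` is false for the same reason. Initialise the accumulator, `awk 'BEGIN{sum=0} {sum+=$0} END{print sum}'`, or do the whole count in jq with `[.content.images[]?.cves.fixed // {} | length] | add // 0`, so the variable is always a number regardless of the shell test used. Separately, the `.type = "RHSA"` override replaces whatever type the caller supplied without any log line; an `echo` recording the original type and the rewrite would let the pipeline log explain why an advisory came out as RHSA when the data said otherwise.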
@@ -0,0 +1,109 @@ | ||
--- | ||
apiVersion: tekton.dev/v1 | ||
kind: Pipeline | ||
metadata: | ||
name: test-create-advisory-fail-rhsa-no-cve | ||
annotations: | ||
test/assert-task-failure: "run-task" | ||
spec: | ||
description: | | ||
Run the create-advisory task with releaseNotes.type set to RHSA but no CVEs in releaseNotes. | ||
The task should fail. | ||
workspaces: | ||
- name: tests-workspace | ||
tasks: | ||
- name: setup | ||
taskSpec: | ||
steps: | ||
- name: create-crs | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
|
||
mkdir "$(workspaces.data.path)"/results | ||
|
||
cat > "$(workspaces.data.path)"/test_release_plan_admission.json << EOF | ||
{ | ||
"apiVersion": "appstudio.redhat.com/v1alpha1", | ||
"kind": "ReleasePlanAdmission", | ||
"metadata": { | ||
"name": "test", | ||
"namespace": "default" | ||
}, | ||
"spec": { | ||
"applications": [ | ||
"app" | ||
], | ||
"policy": "policy", | ||
"pipeline": { | ||
"pipelineRef": { | ||
"resolver": "git", | ||
"params": [ | ||
{ | ||
"name": "url", | ||
"value": "github.com" | ||
}, | ||
{ | ||
"name": "revision", | ||
"value": "main" | ||
}, | ||
{ | ||
"name": "pathInRepo", | ||
"value": "pipeline.yaml" | ||
} | ||
] | ||
}, | ||
"serviceAccountName": "sa" | ||
}, | ||
"origin": "dev" | ||
} | ||
} | ||
EOF | ||
|
||
cat > "$(workspaces.data.path)"/test_snapshot_spec.json << EOF | ||
{ | ||
"application": "myapp", | ||
"components": [ | ||
{ | ||
"name": "comp", | ||
"repository": "quay.io/redhat-prod/repo" | ||
} | ||
] | ||
} | ||
EOF | ||
|
||
cat > "$(workspaces.data.path)"/data.json << EOF | ||
{ | ||
"releaseNotes": { | ||
"type": "RHSA" | ||
}, | ||
"sign": { | ||
"configMapName": "cm" | ||
} | ||
} | ||
EOF | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
- name: run-task | ||
taskRef: | ||
name: create-advisory | ||
params: | ||
- name: releasePlanAdmissionPath | ||
value: "test_release_plan_admission.json" | ||
- name: snapshotPath | ||
value: "test_snapshot_spec.json" | ||
- name: dataPath | ||
value: "data.json" | ||
- name: resultsDirPath | ||
value: "results" | ||
- name: synchronously | ||
value: "false" | ||
- name: pipelineRunUid | ||
value: $(context.pipelineRun.uid) | ||
runAfter: | ||
- setup | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace |
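Review bot: this test only covers the case where `releaseNotes` has no `content` at all, which is the path where the task's CVE count pipeline produces no jq output; it does not cover an RHSA whose `content.images[].cves.fixed` is present but empty (`{}`), which is the more plausible shape of a mislabeled advisory and the one that exercises the `length` branch of the count. A second data.json with `"content": {"images": [{"containerImage": "foo", "cves": {"fixed": {}}}]}` would close that gap. Also, `test/assert-task-failure: "run-task"` asserts only that the task failed, so a failure for an unrelated reason (a missing file, a bad jsonKey) would pass this test as well; if the test harness can inspect step output, matching on "Provided advisory type is RHSA" would pin the failure to the intended check.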
@@ -0,0 +1,174 @@ | ||
--- | ||
apiVersion: tekton.dev/v1 | ||
kind: Pipeline | ||
metadata: | ||
name: test-create-advisory-overwrite-type | ||
spec: | ||
description: | | ||
Run the create-advisory task with a releaseNotes.type that is not RHSA, but CVEs present in releaseNotes. | ||
The type should be overwritten to RHSA. | ||
workspaces: | ||
- name: tests-workspace | ||
tasks: | ||
- name: setup | ||
taskSpec: | ||
steps: | ||
- name: create-crs | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
|
||
mkdir "$(workspaces.data.path)"/results | ||
|
||
cat > "$(workspaces.data.path)"/test_release_plan_admission.json << EOF | ||
{ | ||
"apiVersion": "appstudio.redhat.com/v1alpha1", | ||
"kind": "ReleasePlanAdmission", | ||
"metadata": { | ||
"name": "test", | ||
"namespace": "default" | ||
}, | ||
"spec": { | ||
"applications": [ | ||
"app" | ||
], | ||
"policy": "policy", | ||
"pipeline": { | ||
"pipelineRef": { | ||
"resolver": "git", | ||
"params": [ | ||
{ | ||
"name": "url", | ||
"value": "github.com" | ||
}, | ||
{ | ||
"name": "revision", | ||
"value": "main" | ||
}, | ||
{ | ||
"name": "pathInRepo", | ||
"value": "pipeline.yaml" | ||
} | ||
] | ||
}, | ||
"serviceAccountName": "sa" | ||
}, | ||
"origin": "dev" | ||
} | ||
} | ||
EOF | ||
|
||
cat > "$(workspaces.data.path)"/test_snapshot_spec.json << EOF | ||
{ | ||
"application": "myapp", | ||
"components": [ | ||
{ | ||
"name": "comp", | ||
"repository": "quay.io/redhat-prod/repo" | ||
} | ||
] | ||
} | ||
EOF | ||
|
||
cat > "$(workspaces.data.path)"/data.json << EOF | ||
{ | ||
"releaseNotes": { | ||
"type": "RHEA", | ||
"content": { | ||
"images": [ | ||
{ | ||
"containerImage": "foo", | ||
"cves": { | ||
"fixed": { | ||
"CVE-123": { | ||
"components": [ | ||
"pkg:rpm/foo" | ||
] | ||
} | ||
} | ||
} | ||
} | ||
] | ||
} | ||
}, | ||
"sign": { | ||
"configMapName": "cm" | ||
} | ||
} | ||
EOF | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
- name: run-task | ||
taskRef: | ||
name: create-advisory | ||
params: | ||
- name: releasePlanAdmissionPath | ||
value: "test_release_plan_admission.json" | ||
- name: snapshotPath | ||
value: "test_snapshot_spec.json" | ||
- name: dataPath | ||
value: "data.json" | ||
- name: resultsDirPath | ||
value: "results" | ||
- name: synchronously | ||
value: "false" | ||
- name: pipelineRunUid | ||
value: $(context.pipelineRun.uid) | ||
runAfter: | ||
- setup | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
- name: check-result | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
runAfter: | ||
- run-task | ||
taskSpec: | ||
workspaces: | ||
- name: data | ||
steps: | ||
- name: check-result | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env bash | ||
set -ex | ||
|
||
# Count the number of InternalRequests | ||
requestsCount=$(kubectl get InternalRequest -o json | jq -r '.items | length') | ||
|
||
# Check if the number of InternalRequests is as expected | ||
if [ "$requestsCount" -ne 1 ]; then | ||
echo "Unexpected number of InternalRequests. Expected: 1, Found: $requestsCount" | ||
exit 1 | ||
fi | ||
|
||
internalRequest=$(kubectl get InternalRequest -o json | jq -r '.items[0]') | ||
|
||
# Check the request field | ||
if [ "$(echo "$internalRequest" | jq -r '.spec.request' )" != "create-advisory" ]; then | ||
echo "InternalRequest doesn't contain 'create-advisory' in 'request' field" | ||
exit 1 | ||
fi | ||
|
||
# Check the advisory_json parameter | ||
if [[ "$(echo "$internalRequest" | jq -r '.spec.params.advisory_json' )" != \ | ||
'{"type":"RHSA"'* ]]; then | ||
echo "The advisory_json should have had its type overwritten to RHSA because there were CVEs" | ||
echo "in the releaseNotes. However, it was not" | ||
exit 1 | ||
fi | ||
finally: | ||
- name: cleanup | ||
taskSpec: | ||
steps: | ||
- name: delete-crs | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env sh | ||
set -eux | ||
|
||
kubectl delete internalrequests --all |
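Review bot: the assertion `'{"type":"RHSA"'*` is a glob prefix match on the serialized `advisory_json`, so it depends on `type` being the first key of the compacted object; that holds here only because `type` is the first key in data.json and `jq '.type = "RHSA"'` keeps an existing key in place. Parsing the parameter instead, `jq -r '.spec.params.advisory_json | fromjson | .type'` compared against `RHSA`, checks the property the test is actually about and keeps working if the key order or the surrounding fields change. Minor: check-result uses `set -ex` while the other scripts use `set -eux`, and the cleanup step uses `#!/usr/bin/env sh` where the others use bash; aligning them avoids the scripts diverging for no reason.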
Comment: -r doesn't make sense here - it's an object, not just a string. So if anything, I would change it to -c.
Reply: No it isn't, it is a string https://github.com/konflux-ci/application-api/blob/main/api/v1alpha1/snapshot_types.go#L28